Xref: utzoo comp.unix.wizards:25314 alt.security:2398
Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sdd.hp.com!elroy.jpl.nasa.gov!jato!dave
From: dave@jato.jpl.nasa.gov (Dave Hayes)
Newsgroups: comp.unix.wizards,alt.security
Subject: Re: BSD tty security, part 4: What You Can Look Forward To
Message-ID: <1991May1.235218.20744@jato.jpl.nasa.gov>
Date: 1 May 91 23:52:18 GMT
References: <3600:Apr2614:04:4391@kramden.acf.nyu.edu> <13218@goofy.Apple.COM> <1991Apr30.224235.2459@jato.jpl.nasa.gov> <1384@rsi.UUCP>
Reply-To: dave@elxr.jpl.nasa.gov
Organization: Jet Propulsion Lab - Pasadena, CA
Lines: 57

wrwalke@rsi.UUCP (William Walker) writes:
>In article <1991Apr30.224235.2459@jato.jpl.nasa.gov>, dave@jato.jpl.nasa.gov (Dave Hayes) writes:
>> I see what you are saying, but I have to disagree. Why has Dan even POSTED
>> that such holes exist, if he is not willing to disclose the details to
>> us system admins that are going to be of necessity interested in the problem?
>     ^^^^^^^^^^^^^
>ok, so you *are* a system admin with a legit need to know. so what's the big
>deal with sending him a set of references??

I did. That didn't seem to help matters much. He claims I have no legitimate
reason to know. My paycheck claims differently.

>do you want every bored CS major between here and Australia finding out
>about those holes a week or so before you get your patch tapes from the
>vendor?

What patch tapes from the vendor? We'll be damn lucky to see patches from
vendors in 1995! I don't trust vendors any farther than I can throw them;
see my previous stuff in comp.sys.apollo for a good example of that (about
the time of the HP buyout). They have no incentive to fix these holes...yet.
In that sense it would be good for a few bored CS majors to get into it on
the net...that'd make everybody wake up and smell the coffee.

>so what do you do if you find a nifty little bug?? you tell the vendor
>and CERT, CERT makes it known to its brain/talent trust, contacts the
>vendor who says "BFD". what about the guy *without* source?? how is
>he ever going to get the hole patched? unless the customers pressure
>the vendor,

Which rarely works anyway. What are you trying to say here?

>NO changes will ever be made unless it is the old "fixed
>in the next release" line, send us a check.... this "approval" arrangement
>also sounds kinda hokey to me, but i can't think of a better medium
>between leaving gaping holes under the carpet and posting potentially
>dangerous code on a public forum accessible to thousands of bored hacker
>wannabes.

I don't know that posting the details of these hacks wouldn't do all of us
a lot of good... These "approval" arrangements are always hokey. I
personally believe that this behavior is something left over from
childhood...8)

It's a cooperative universe. I help people all the time...if I was in the
same position, I'd want every other sysadmin to know exactly what was
broken and how to fix it (not just the latter).

And that's my $2e-02.

-- 
Dave Hayes - Network & Communications Engineering - JPL / NASA - Pasadena CA
dave@elxr.jpl.nasa.gov dave@jato.jpl.nasa.gov ames!elroy!dxh
You possess only what will not be lost in a shipwreck.